Impact
The vulnerability is an SSRF flaw in the Live/test.php plugin of AVideo up to version 27.0. The statsURL parameter is not checked by isSSRFSafeURL() and can resolve to any URL, including private IPs and cloud metadata endpoints. An authenticated administrator can therefore read the contents of arbitrary URLs, which may expose IAM credentials, internal service responses, or network configuration data. This allows disclosure of confidential information but does not provide broader system compromise. The weakness is identified as CWE‑918.
Affected Systems
The affected product is AVideo, versions up to 27.0, specifically the Live/test.php plugin when accessed by users with admin privileges. No further vendor versions are listed.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity. EPSS is not available, but the flaw is not listed in CISA’s KEV catalog, so public exploit availability is unknown. The attack requires legitimate admin credentials and the ability to submit a statsURL value, making the threat most significant in environments where administrators have excessive privileges or where the plugin is exposed to untrusted users. If exploited, attackers can retrieve sensitive internal information, potentially aiding further attacks. The lack of validation to protect private network ranges or cloud metadata services heightens the risk of accidental information disclosure.
OpenCVE Enrichment